We use the curl Guzzle backend to make HTTP requests. When credentials are given in the URI, curl will send them in the request using the Basic authentication method. Since the Basic method is deprecated, some servers require e.g. Digest instead. selfoss did not support that.
Let’s make selfoss use any HTTP authentication method the server offers in the WWW-Authenticate header using the CURLAUTH_ANY flag. This will make curl perform one extra GET request (only when credentials are provided) to obtain the authentication challenge.
One downside is that authentication will no longer be attempted if the challenge response does not return 401 Unauthorized and a WWW-Authenticate header. I can imagine a website that would return 200 OK and a feed only containing public data when no credentials are provided, private data only being included when the request contains an Authorization header with credentials for the unadvertised Basic auth. This patch would silently change such feeds to the public mode.
We are using CURLAUTH_ANY instead of CURLAUTH_ANYSAFE since some sites still only support Basic auth. Either flag will still choose the best available authentication method so it will be strictly better than the default CURLAUTH_BASIC.
Fixes: https://github.com/fossar/selfoss/issues/1486
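A simplified model of the scheme selection the commit message describes, added here as an example and not taken from selfoss, Guzzle or curl. It shows which scheme the credentials go out with under each flag, including the 200 OK case where they are never sent. The constant values, function names and probe responses are constructed for illustration, and only Basic and Digest are modelled.

```python
import re

# Local bitmask model: the names mirror the curl flags discussed above, the
# values are constructed for this example, and only Basic and Digest are modelled.
BASIC, DIGEST = 1, 2
CURLAUTH_BASIC = BASIC
CURLAUTH_ANYSAFE = DIGEST            # every modelled scheme except Basic
CURLAUTH_ANY = BASIC | DIGEST
PREFERENCE = [(DIGEST, "Digest"), (BASIC, "Basic")]   # strongest first

def offered_schemes(www_authenticate):
    """Bitmask of schemes advertised in a list of WWW-Authenticate values."""
    mask = 0
    for value in www_authenticate:
        # Drop quoted strings first so commas inside realm="a, b" do not split.
        unquoted = re.sub(r'"(?:[^"\\]|\\.)*"', "", value)
        for part in unquoted.split(","):
            m = re.match(r"\s*([A-Za-z][A-Za-z0-9_-]*)(\s*=)?", part)
            # "name=" is a parameter of the previous challenge, not a scheme.
            if m and not m.group(2):
                name = m.group(1).lower()
                mask |= {"basic": BASIC, "digest": DIGEST}.get(name, 0)
    return mask

def scheme_used(allowed, probe_status, www_authenticate):
    """Scheme the credentials go out with, or None if they are never sent."""
    if allowed == CURLAUTH_BASIC:
        return "Basic"               # sent with the first request, no probe
    if probe_status != 401:
        return None                  # no challenge, so nothing to answer
    usable = offered_schemes(www_authenticate) & allowed
    return next((n for bit, n in PREFERENCE if usable & bit), None)

# Constructed probe responses: (status, WWW-Authenticate values).
DIGEST_ONLY = (401, ['Digest realm="feeds, private", qop="auth", nonce="abc"'])
BASIC_ONLY = (401, ['Basic realm="feeds"'])
BOTH = (401, ['Basic realm="feeds", Digest realm="feeds", nonce="abc"'])
UNADVERTISED = (200, [])             # public feed served without a challenge

if __name__ == "__main__":
    for label, probe in [("digest only", DIGEST_ONLY), ("basic only", BASIC_ONLY),
                         ("both", BOTH), ("unadvertised", UNADVERTISED)]:
        print(label, {flag: scheme_used(mask, *probe) for flag, mask in
                      [("BASIC", CURLAUTH_BASIC), ("ANYSAFE", CURLAUTH_ANYSAFE),
                       ("ANY", CURLAUTH_ANY)]})
```

A `None` result in the unadvertised row is the silent switch to public mode: a feed fetcher can surface it by logging when credentials were configured but the response arrived without a 401 challenge.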